Subject: Re: [cti] Open Question to the CTI Community

I'm rather new to the STIX / TAXII / CybOX debate but the analogies work quite well at a high level. 

The point is clear: we need standard ways of expressing CTI content, structuring the deliverable form of that content, and distributing it to the consumer/processor etc. 

STIX and CybOX (with a little embellishment) cover the first 2 elements but there are rather more unanswered questions over the delivery element i.e. TAXII in my opinion. 

My view is that TAXII should focus on the delivery element but include the capability to do all of the Amazon type things (e.g. forming a richer information repository perhaps) if deemed appropriate by the entity running the TAXII service. I suspect the question will then shift to one of discovery as well as consumption of CTI. 



On 18 August 2015 at 22:33, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
I love your analogies.... I think there are very divergent camps in regards to what these three technologies should actually do.  And I think if you were to poll the core people that routinely contribute or are heavily vested in this technology, you would get wildly different answers.  

Some just want CybOX and STIX to be the idea for communicative thought, an abstract high level UML/OWL data model.  Others want it to be French with Latin characters that are 12 pt font used on A4 paper.  And even others want it to be a polished system that actually does something.

In regards to TAXII, it can be as you said, just dumb plumbing like the post office, or it can be a little more advanced like FedEx, or it can be the whole thing, like Amazon.  Obviously there should be one way of doing things, but that does not mean every person that deploys TAXII needs to be an Amazon...  Some might just want to be a Post Office or a FedEx.  One thing to point out, if TAXII does not define how to do the Amazon work, then that functionality needs to move to STIX and CybOX or some other subcommittee.  It has to live somewhere.

So I agree with you...  We need to decide what STIX, CybOX, and TAXII are going to be when they grow up. 


Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 18, 2015, at 14:34, Patrick Maroney <Pmaroney@Specere.org> wrote:

Caveat: Please do not infer any negative connotations in the following.  I no doubt have my views on the matter***, but do not assert anything here other than the suggestion that we really should sort these fundamentally different perspectives out and get consensus.

There seem to be two distinct camps of thought:

(1) CybOX is 'just a language', STIX is an "Envelope/Box" that can be used to address/package letters, poetry, written, books, magazines, produced in this language, and TAXII is the means to deliver said packages (e.g. Postal Service, FedEx, etc.)

(2) All of these combined somehow form an information repository (how things are racked, stacked, and found in the warehouse) and TAXII is the "Amazon".

These are somewhat flawed analogies, but hopefully my point is clear.

So is TAXII just the Transport?... or the Warehouse, Transport, and Order Processing system?

Patrick Maroney
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

*** I do have a strongly held bias that externally facing/exposed TAXII Gateways should only hold ephemeral data as long as is required to reliably "ship the package".

Adam Cooper
Identity Assurance Programme
Government Digital Service
125 Kingsway, London, WC2B 6NH

Tel: 07973 123 038

